cryptsetup

dm-crypt and LUKS encrypted volume manager

TLDR

Initialize LUKS volume

$ cryptsetup luksFormat /dev/sda1

Open LUKS volume

$ cryptsetup open /dev/sda1 mapping_name

Show mapping status

$ cryptsetup status mapping_name

Close mapping

$ cryptsetup close mapping_name

Change passphrase

$ cryptsetup luksChangeKey /dev/sda1

SYNOPSIS

cryptsetup action [OPTIONS] device [name]

cryptsetup manages dm-crypt and LUKS (Linux Unified Key Setup) encrypted volumes. It provides disk encryption for protecting data at rest, supporting multiple key slots, strong encryption algorithms, and header backup/restore.

PARAMETERS

luksFormat device

Initialize a LUKS encrypted volume (destroys all data)

open device name

Open encrypted device and create mapping at /dev/mapper/name

close name

Remove an existing mapping

status name

Display information about an active mapping

luksChangeKey device

Change the passphrase for a LUKS volume

luksAddKey device

Add a new passphrase to a key slot

luksRemoveKey device

Remove a passphrase from a key slot

luksDump device

Display LUKS header information

luksHeaderBackup device

Backup LUKS header to a file

isLuks device

Check if device is a LUKS volume

benchmark

Benchmark encryption algorithms

--type type

Specify encryption type (luks, luks2, plain)

--cipher cipher

Encryption cipher specification

--key-size bits

Encryption key size in bits

--hash hash

Hash algorithm for LUKS header

CONFIGURATION

/etc/crypttab

Defines encrypted volumes to unlock at boot.

CAVEATS

Losing all passphrases means permanent data loss. Always backup LUKS headers. Formatting destroys all existing data. The encrypted device must be opened before it can be mounted.

HISTORY

cryptsetup was created by Jana Saout (dm-crypt) and Clemens Fruhwirth (LUKS). LUKS was introduced in 2004 to provide a standard on-disk format for encrypted volumes. LUKS2 was added in 2017 with improved header flexibility and Argon2 key derivation.